Merge remote-tracking branch 'origin/topic/jsiwek/syslog-missing-pri'

* origin/topic/jsiwek/syslog-missing-pri:
  Make Syslog analyzer accept messages that omit Priority

CHANGES

@@ -1,4 +1,9 @@
 
+2.6-197 | 2019-04-03 09:08:58 -0700
+
+  * Make Syslog analyzer accept non-conformant messages that omit Priority.
+    (Jon Siwek, Corelight)
+
 2.6-195 | 2019-03-27 12:36:34 -0700
 
   * Reduce weird-stats overhead (Justin Azoff, Corelight)

VERSION

@@ -1 +1 @@
-2.6-195
+2.6-197

doc

@@ -1 +1 @@
-Subproject commit e404fc80c5c4ecfd0c4441b6b83826761bd985e9
+Subproject commit 2e66f807daafe754e40571e3d2c10080b6db36cb

scripts/base/protocols/syslog/consts.bro

@@ -29,6 +29,7 @@ export {
 		[21] =  "LOCAL5",
 		[22] =  "LOCAL6",
 		[23] =  "LOCAL7",
+		[999] = "UNSPECIFIED",
 	} &default=function(c: count): string { return fmt("?-%d", c); };
 	
 	## Mapping between the constants and string values for syslog severities.
@@ -41,5 +42,6 @@ export {
 		[5] = "NOTICE",
 		[6] = "INFO",
 		[7] = "DEBUG",
+		[999] = "UNSPECIFIED",
 	} &default=function(c: count): string { return fmt("?-%d", c); };
 }

src/analyzer/protocol/syslog/syslog-analyzer.pac

@@ -7,16 +7,27 @@ connection Syslog_Conn(bro_analyzer: BroAnalyzer)
 
 flow Syslog_Flow
 {
-	datagram = Syslog_Message withcontext(connection, this);
+	datagram = Syslog_Message_Optional_PRI withcontext(connection, this);
 
 	function process_syslog_message(m: Syslog_Message): bool
 		%{
-		BifEvent::generate_syslog_message(connection()->bro_analyzer(),
+		if ( ${m.has_pri} )
+			BifEvent::generate_syslog_message(
+			    connection()->bro_analyzer(),
 			    connection()->bro_analyzer()->Conn(),
 			    ${m.PRI.facility},
 			    ${m.PRI.severity},
 			    new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
 			    );
+		else
+			BifEvent::generate_syslog_message(
+			    connection()->bro_analyzer(),
+			    connection()->bro_analyzer()->Conn(),
+			    999,
+			    999,
+			    new StringVal(${m.msg}.length(), (const char*)${m.msg}.begin())
+			    );
+
 		return true;
 		%}
 

src/analyzer/protocol/syslog/syslog-protocol.pac

@@ -1,12 +1,27 @@
-type Syslog_Message = record {
+type Syslog_Message_Optional_PRI = record {
-	PRI: Syslog_Priority;
+	lt:       uint8;
+	after_lt: bytestring &restofdata &transient;
+}
+&byteorder = littleendian
+&exportsourcedata
+&let {
+	standard:    Syslog_Message(true) withinput sourcedata &if(lt == 60); # '<'
+	nonstandard: Syslog_Message(false) withinput sourcedata &if(lt != 60);
+};
+
+type Syslog_Message(has_pri: bool) = record {
+	opt_pri: case has_pri of {
+		true  -> PRI: Syslog_Priority;
+		false -> nothing: empty;
+	};
+
 	msg: bytestring &restofdata;
 } &byteorder = littleendian;
 
 type Syslog_Priority = record {
-	lt    : uint8; # &check(lt == 60); # '<'
+	lt    : uint8 &enforce(lt == 60); # '<'
 	val   : RE/[[:digit:]]+/;
-	gt    : uint8; # &check(gt == 62); # '>'
+	gt    : uint8 &enforce(gt == 62); # '>'
 } &let {
 	val_length: int = sizeof(val) - 1;
 	int_val: int = bytestring_to_int(val, 10);

testing/btest/Baseline/scripts.base.protocols.syslog.missing-pri/syslog.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	syslog
+#open	2019-03-15-01-41-39
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	facility	severity	message
+#types	time	string	addr	port	addr	port	enum	string	string	string
+1552584410.781231	CHhAvVGS1DHFjwGM9	192.168.2.118	60786	192.168.2.21	514	udp	UNSPECIFIED	UNSPECIFIED	This is not really a syslog message #173538 1552584410.781186
+#close	2019-03-15-01-41-39

testing/btest/scripts/base/protocols/syslog/missing-pri.bro

@@ -0,0 +1,4 @@
+# @TEST-EXEC: bro -r $TRACES/syslog-missing-pri.trace %INPUT
+# @TEST-EXEC: btest-diff syslog.log
+
+@load base/protocols/syslog